Tech_Supp0rt:1

Target IP: 10.10.86.131

Hack into the scammer's under-development website to foil their plans.


Scanning

[screenshot]
Four TCP ports are open on the target machine, serving SSH, HTTP and SMB (the latter on both 139 and 445).


Enumeration

Ports 139 and 445: SMB
[screenshot]
Since SMB is open and allows guest login, I started my enumeration there. A share called websvr contains the file enter.txt.

[screenshot]
The enter.txt file contains the content shown above. However, the password is encrypted; the file hints at using the Magic operation in CyberChef. The credential belongs to the Subrion CMS.

[screenshot]
Running the Magic operation against the ciphertext in CyberChef, I obtained the password Scam2021. Now I have the credential admin:Scam2021 for the Subrion CMS application.

[screenshot]
A directory search shows the interesting entries above.

[screenshot]
The /test directory contains the webpage above. It looks like a fake scareware pop-up made by the scammers to target victims.

[screenshot]
The /wordpress directory shows the webpage above. After enumerating it for some time, I did not find anything useful.

[screenshot]
From the previous enumeration, I had a credential for Subrion CMS, so I wanted to see whether that application exists. Using the command gobuster dir -u http://10.10.86.131/subrion/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -s 200 -b "", I got a hit. The entries above are displayed for this CMS application; panel.php sounds like an admin panel.

[screenshot]
Browsing to /panel gives me the login page of the CMS.

[screenshot]
Using the credential admin:Scam2021, I gained access to the CMS application. The target is running version 4.2.1, which is vulnerable to RCE via file upload.


Exploitation

[screenshot]
Using searchsploit, I made a copy of the exploit on my local machine.

[screenshot]
I ran the exploit against the target machine. This gave me a simple web shell, which I upgraded to a reverse shell using a Python reverse shell script. Now I have a foothold on the target machine.


Privilege Escalation

[screenshot]
The wp-config.php file contains the credential support:ImAScammerLOL!123!.

[screenshot]
Using this new password ImAScammerLOL!123! against the user scamsite worked. I have now elevated my privileges from www-data to the scamsite user.

[screenshot]
It looks like this user is allowed to execute the binary /usr/bin/iconv with root privileges. I can use this binary to read files such as shadow.

[screenshot]
I managed to obtain the shadow file, which contains the password hash of the root user, but I was unable to crack it. The binary can also write file contents, so it would be possible to overwrite authorized_keys with my own SSH key. But obtaining the one flag was the mission.
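As an added defender-side example (not part of the original writeup), here is a small Python audit that parses sudoers rules and flags the kind of entry abused above: a non-root user allowed to run /usr/bin/iconv as root. The sudoers text is a constructed sample; the backup rule in it is invented for contrast.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content, modelled on the misconfiguration in the
# writeup (scamsite may run /usr/bin/iconv as root). The backup rule is invented.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
scamsite ALL=(root) NOPASSWD: /usr/bin/iconv
backup   ALL=(root) /usr/bin/rsync, /usr/bin/tar
"""

# Binaries that read or write arbitrary files when run as root. Only iconv is
# listed because it is the one the writeup shows; extend as your policy dictates.
ARBITRARY_FILE_ACCESS = {"/usr/bin/iconv"}

# user  host=(runas) [TAG: ...] cmd1, cmd2   (simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user-spec lines into dicts; comments and Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = (m.group("runas") or "root").split(":", 1)[0].strip() or "root"
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "runas": runas_user,
                      "nopasswd": "NOPASSWD" in tags, "cmds": cmds})
    return rules

def find_risky_rules(text: str) -> List[str]:
    """Report non-root users granted a file-reading/writing binary as root."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            binary = cmd.split()[0]
            if binary in ARBITRARY_FILE_ACCESS:
                suffix = " without a password" if r["nopasswd"] else ""
                findings.append(f"{r['user']} may run {binary} as root{suffix}")
    return findings
```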


Flags

[screenshot]
The root.txt flag.